Archive for the ‘jihad’ Category
Vice reported on the Amaq News Agency’s hack and dissemination of malware last week and the report really kind of fails to do much more than attempt to amplify the booga booga of the whole affair. I thought I would go hunt down the sample(s) of the malware and have a looksee for myself. Which is exactly what I did and located two samples of malware that are from other domains owned by the same players. What follows is a run down of those samples (I was unable to find the one mentioned in the story as of yet but did locate the VT assessment of it) and a fuller deconstruction of the domains involved.
As some of you may know, Amaq is just the news site for the dissemination of propaganda so this would be a good target for someone to go after, infect, and hopefully reap the rewards of anyone stupid enough to install the file that was being served out. Interestingly though the malware mentioned in the piece on the 30th is a Flash update and the malware I located on the other attached domains is an .apk file that allegedly is for a Flash update? In any event, my first impression from the Vice piece was that it was derptastic. You are going to use a 2013 RAT that everyone sees to pwn an alleged 600 click happy jihadis?
Right so as the Vice article says the malware was easily seen by a multitude of AV products so really, you are hitting the lowest common denominator here if they click on it and have no AV at all. Of course if you were aiming at phones that would be different but this was an executable binary so.. uhh.. Duh? Right, well the malware in the story was ostensibly just an update to Flash if what has been posted is in fact true. I went to the site listed in the shortlink and no joy on that, nothing there anymore.
After checking the domain jiko.at from the url that was serving the malware last week I began tracking down the owner data. What came from that is that the email address of firstname.lastname@example.org is a throw away account as far as I can tell with only three domains being registered with it. Once you look though, you can see that more domains actually had been created by the same actor using the name “dertou” as well. Those domains are ad13.de, amaqqq.xyz, baqiyy.at, and jkikkia.at.
Without going too far down the rabbit hole here I just wanted to point out that these addresses were all created on the 29th of March and deployed along with the other exploit it seems. One of the domains is still live and is serving out the malware:
Now this address would match up with the attempts at trying to get amaq users to go to a bad squatted address and this is where I got the malware I mentioned above (details below). The other domains are all interesting in that some have names that are close to such things as the Da’esh magazine “Baqiya” but others like ad13.de have nothing to do with all that and in fact ad13 is much much older a domain. Ad13 was originally created in around 2013 and was decommissioned around October 2016 with changes made to the domain in July 2016.
When I started looking up the list.ru address I hit a road block for now but I will keep poking at that because I feel that this person is one of the key players if not the key player here. Otherwise there is the usual obfuscation going on with the other addresses out there and as such I am just going to drop them for now. Instead, I will look at the malware and where that is making calls to after dumping the IOCs on you all.
Here you go!
https://www.hybrid-analysis.com/sample/b641c03fe4334d7c0045db7db70fd7d1c8756ba5a50f35a6ec5257bd533c1630?environmentId=100 –> Malware
https://malwr.com/analysis/OTllNDU5YjNkYzVlNDFhOWI1Yzc2YWY0ZWI3NWY0N2Q/ –> Malware
https://virustotal.com/en/file/379cd2fed583c183fc1c5d1597421642f8e6b15af74ec58348e40ee80f227b25/analysis/1490880990/ —> Malware
The malware sample I got from the amaq xyz site was named FlashPlayer8x86_x64.exe and downloads as an .apk (Android) file by name obfuscation from the url. Once run it attempts to contact several domains and IP addresses for the second stage.
These addresses don’t actually have sites on them so they are just C2 and in the case of the original malware in the Vice piece there was a site with a gate.php address which may have been an IP collection point or a second stage malware install site. None of these though have the gate.php and the fact that this site is still working makes me think that perhaps this was to be the second wave of attacks had not Vice and other sources reported on the hack. Perhaps though because it is still live the hackers plan on another attempt at going back to the well no?
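The name/type mismatch noted above (a sample called FlashPlayer8x86_x64.exe that arrives as an .apk) is something a first-pass triage script can flag before anything is executed. The following is an added example, not code from the original post: it hashes a download, identifies the container from its magic bytes, and reports every name whose extension disagrees with the content. The sample bytes and the file name `flash_update.apk` are constructed for the example.

```python
import hashlib
import io
import os
import zipfile

# Extensions that are plausible for each container type detected below.
EXPECTED_EXT = {
    "pe": {".exe", ".dll", ".scr"},
    "apk": {".apk"},
    "zip": {".zip"},
    "pdf": {".pdf"},
    "ole2": {".doc", ".xls", ".ppt"},
}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        # DOS header field e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-no-pe"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # An Android package is a ZIP that carries a manifest and Dalvik code.
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == bytes.fromhex("d0cf11e0a1b11ae1"):
        return "ole2"  # legacy Office container (.doc/.xls)
    return "unknown"


def triage(claimed_names, data: bytes) -> dict:
    """Hash the sample and list every claimed name that contradicts its content."""
    actual = sniff_type(data)
    allowed = EXPECTED_EXT.get(actual, set())
    findings = []
    for name in claimed_names:
        ext = os.path.splitext(name)[1].lower()
        if ext not in allowed:
            findings.append(f"{name}: extension {ext or '(none)'} but content is {actual}")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": actual,
        "findings": findings,
    }


def make_sample_pe() -> bytes:
    """Constructed, inert stand-in for a Windows executable (headers only)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


def make_sample_apk() -> bytes:
    """Constructed, inert stand-in for an Android package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed")
        zf.writestr("classes.dex", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    # One sample seen under two names; "flash_update.apk" is a hypothetical name.
    report = triage(["FlashPlayer8x86_x64.exe", "flash_update.apk"], make_sample_pe())
    print(report["type"], report["sha256"])
    for line in report["findings"]:
        print("MISMATCH", line)
```

The SHA-256 it returns is the value to search for on the sandbox and multi-scanner services linked above.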
Overall the sites have been updated recently but have been around a while. The malware is easily detectable by AV, and the RAT is old so was this a real attempt at harvesting or was this some sort of pranksterism or PSYOP? Frankly I can see it both being semi-experienced hackers doing this or more astute actors using easily seen malware to perhaps scare users into not looking at the site anymore. That I could track it back so far to the list.ru user to me says that there may be more to this if I dig further but then I have to be that interested in who may be fucking with amaq.
The fact of the matter is Da’esh is losing ground and losing the interest of those who think they are a righteous Caliphate because they are losing ground. The attempts to garner more lone wolves and perpetuate the jihad with these guys has been too plagiaristic for me. Basically Da’esh stole AQAP’s model but carried it off with less style so once they lose Raqqa they will lose a great deal of cred online in my opinion. Perhaps then they will be less of a threat on the GWOT in that respect… Maybe not.
Anyway, yeah, these guys are soft targets and not the sharpest tools in the tool box so hacking them has never been a challenge. All these insecure PHP sites and their users are easy pickins really so this is a non story to me. It is more interesting to me who may be trying to fuck with them and to determine why exactly. Is this the IC trying to deter them or is this an OpISIS kind of thing?
I am still deciding…
Ahmad Rahami, the new jihadi wannabe lone wolf du jour made a splash with his bombings of a dumpster and a trash bin on CNN and the other media outlets but let’s really take a closer look at Ahmad and his mindset with the release of his ersatz “journal of jihad” shall we? First off, I am tired of the media coverage and while this was serious, it just shows you the level of recruit and planning that AQAP/AQ/Da’esh have in the US presently and to wit, not very high. Frankly, looking at his journal pieces here I can only surmise that if Ahmad doesn’t have some sort of personality disorder it would greatly surprise me. On the other end of that spectrum, Ahmad clearly is a failed seeker acting out within the confines of his chicken shop malcontent diaspora in search of importance.
Ahmad opines the usual catch phrase diatribes seen in Inspire or Dabiq and on the web in general on the boards but seems to not really have a greater grasp of his own religion than most of the daeshbag recruits these days. Clearly he has been suckling at the tit of the jihadi propaganda machine and in fact had close contact with recruiters in Afghanistan and Pakistan where he spent a good deal of time in recent years on and off. These guys look for recruits who have weak wills and minds that can be easily swayed. Minds and hearts, egos in search of self importance that they lack presently but are told that they will be martyrs for the greater cause if they blow themselves or the far enemy up and it is bullshit.
All of the propaganda placed by these Khawarij are just a mental virus, neuro-linguistic programming, used to prey on the weak minded souls out there, those failed seekers in order to bring them in and turn them to the Khawarij will. For some time now the security services and governments of the world have been trying to see how they can combat these memetic viruses online and so far no one has been able to come up with a solid solution. Those who are seeking will latch onto anything that they feel an attraction to and it has been since time immemorial. Cults, and religions both rely on this to build their base, belief is key and the means to that end is dogma.
In Ahmad’s diary we see this in action and we see the brain washing and self delusion that goes on here with the repetitive statements in this journal that he used to egg himself on to action. No doubt he wrote this out and continued to do so as he built the bombs. All of this, all the language is a means to an end to justify to himself his actions. Actions fed to him by the propaganda online, in person, and programmed into him and all the others who are willing to listen, to believe, and to act.
Pawns of the Khawarij.
I truly hope we can come up with a means to combat such memetic viruses but so far I see no hope of it. Prepare yourselves for the other weak minded jihobbyists out there to try and catch their own brass ring of importance. Just don’t let them enable fear to win and change the course of our governance to a fear based one… Well… One that is more so than it already is.
In 2013 I wrote about leaderless jihad and the “Stand Alone Complex”. Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last night’s attack using a lorry was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadis. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.
Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dhaka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.
So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are self-radicalizing with the help of the media’s obsession on covering ad nauseam these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actor’s need for attention and satisfaction.
This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize its happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.
We need a more nuanced approach to the GWOT and I am afraid we won’t get that…
Recently, a reporter that I know came to me asking if I would look at this ICIT-Brief-The-Anatomy-of-Cyber-Jihad1 and give input on it. They wanted to have my opinion because the firm that wrote it was seeking a reporter to flog it on their news site. I told the reporter after looking at the “analysis” this exact quote; “This report is the marketing equivalent of yelling fire in a crowded theater” Well, it seems that CNBC bought it though and my hand has been forced to write about this travesty. ( CNBC Report that forced my hand ) I told the reporter to back away slowly and to their credit they did. CNBC not so much. So here I am going to outline how this report is full of marketing and cognitive bias and wild assumptions. Oh, and that is if you can get past the hyperbolic language in the first graph…
I shit you not..
Cyber Caliphate & Junaid Hussain:
The report goes on a long time talking about Da’esh and their origins. While much of that data is right on, the report starts to go off the rails once they begin talking about the “cyber” part of the picture. They start off by talking about Juny and his cybering, the defacements out there, and the propaganda war that is still ongoing by the likes of Da’esh, AQAP, Boko Haram, etc. Which is all fine, mostly accurate, but then they start to talk about “possible capabilities” after they just pretty much said “They aren’t that capable”. Cognitive dissonance much there guys? The truth of the matter is that to date, the propaganda war is the biggest and most dangerous war here, not the so called cyber war that this “analysis” is pimping. I have been following this stuff since 2001 and Juny is the new Younis Tsouli really, both were/are moderately skilled in hacking but not much more than that. Both were much more propaganda figures, and more dangerous in that capacity than any of their hacking skills. In fact, in the case of Younis, he got the heat and popped for that very reason, he was making a splash and attracting followers. Juny had that very same skill set and became much bigger a deal because he caught the zeitgeist for the jihobbyists out there with his mouth on Twitter. This is why he was killed with a hellfire, not because he hacked any big databases or got the real dope from some hack. In short, both were a danger because they had followers, and those followers were radicalising off of their jihadi bluster online and caches of propaganda from the main marketing teams of their respective terrorism groups. (AQ for Younis and Da’esh for Juny)
Of course the report would not be scary enough without the “Cyber Caliphate” an operation that Juny lamented was just him, no one else, before he got whacked on Telegram. That’s right kids, Juny was pimping something and making shit up. Once Juny got whacked you know what happened? Groups of guys like Team Fallaga took up the mantle and went on to deface pages like the dickens! “OOH SCARY DEFACEMENT BRO” While the report states this, and some of the other information I just mentioned, they then go on to analyse and say that these guys aren’t capable now but someday… SOMEDAY they could be. Oh really? You don’t say! Sure it is possible but it is not likely. Given that most APT activity takes money, time, and cohesion, the jihadis are all over the place and usually small disparate groups of skiddies, not solid hackers. So, the scare tactic of analysis is way off the mark in this report and this is why I told the reporter to step back slowly from their pitch. If this group had left it at “it could happen but it is not likely” I would have had some respect for them. Instead they chose the other “scare the client into buying shit” route. As for Cyber Caliphate and all their other silly acronyms, none have shown that they are a credible threat to much else than an insecure web page. No real data has been hacked and their “data drops” of enemies to kill have all come from open sources on the internet. Sure, is it problematic that they are doing this? Sure. Is it a clear and present danger of cyber capabilities that they could strike the grid next?
I need not say more right?
… But I will.
DO YOUR GOD DAMNED HOMEWORK AND QUIT THE FEAR MONGERING FOR MONEY!
CYBER JIHADI DARKNETS
Of course these guys could not miss an opportunity to scare and of course they had to use the scary “Dark Net” or “Deep Web”. I have been on the dark net for a long time and I will tell you I have found a few sites but nothing there is that scary. In fact, to date, the sites either have been hacked soon after and taken down, or just sit unused. So really, the dark net is no threat here. Sure, the jihadis are using technology to obfuscate their chats now and trying to hide in the “deep web” of un-spidered content but the reality is most of this stuff is non operational. What the jihad today (Da’esh) wants mostly is to radicalize and activate those in the US like Omar Mateen without even really having contact with them.
So, the darknet… Not so much a terrorist haven kids. Sorry
Overall Analysis of Scare Marketing and Cognitive Bias
This report is a travesty of a tissue of what if’s that really is just a pulp thriller wannabe disguised thinly as a marketing piece cum serious analysis of Jihad online.
Please believe none of it.
Well it has been some time since I cared enough to actually look at the media being put out by Da’esh (Al-Hayat) never mind the ever present Inspire magazine put out by AQAP and Al-Malahem. Things however have reached a point where I am going to speak up again on what is going on with the GWOT as it is called. Yesterday there was a report put out about fifty intelligence analysts who officially complained about their analysis products being cherry picked or edited to suit the administration’s needs and this in tandem with the drops of both magazines at nearly the same time had my interest piqued. It feels like once again history is repeating itself with intel being managed or changed to suit the needs of the politicians who are the consumers of that intel. Does anyone really remember the run up to the Iraq invasion and the machinations of the WHIG at all today? I guess in the vast sea of what is claimed to be journalism, the truth of matters is often lost but if you pay attention sometimes you can get some clarity.
The biggest part of the revelations by the intelligence community analysts is that they say we are losing ground with Da’esh in reality, not as the administration would like us all to think. Personally for me I have been of the opinion that drone strikes and a propaganda war have done absolutely nothing for the greater good and that we are in fact stagnant in ideas or means to stop the Middle East from becoming a sectarian bastion. The “Land War in Asia” thing aside, we have no real good plan for helping the moderates because we keep propping up the despots as bulwarks or as necessary evils in the game of Middle East Go. Since I am not a politician, nor am I anyone with any real pull I am stuck here just watching the conflagration while the rest of the world accepts media word-smithing ‘refugee’ to ‘migrant’ with bile rising in my throat.
Back to the magazines and their coincidental dropping at the same time on the same day. In looking at them they are both quite different in tone and direction. While the Inspire is the usual ideologue format it has some scary content in that it is giving directed ideas to the would be jihobbyists with their OSJ (Open Source Jihad) sections ranging from how to make a hand grenade to a call for the ‘Lone Wolf Caravan’ to carry out assassination operations. This call for the assassination ops has been one of the more focused notional magazines that I have seen out of AQAP and as such, with the successful attacks in recent past by lone wolves or small groups of actors without direct training by AQ/AQAP/Da’esh is concerning. Given the media savvy approach of the magazine with Inspire and then the alternative wind up of slick media on youtube by Da’esh, I have to think the synergy would create some new converts. Honestly folks, watching all this play out is much like watching the evolution of Batman and Joker.
Here are some highlights from the Inspire 14 issue:
Yet another IED but this time they want to have hand grenades much like the attack in Mumbai. The plans are simple and effective. One only hopes that some of these guys make a mistake and lose a limb in the process.
Dabiq though, is another story altogether. It seems that the boys at Al Hayat are very very wordy. In their mag we have much more pedantic text concerning the millenarian ideal that Da’esh is purported to have. Though really only one section of the magazine has a direct line to that ideology at all. The rest is text, lots and lots of it, that may as well just be great swaths of the Qur’an for all I care. I guess overall though I have to equate the Dabiq to everything I have seen out of Ayman Zawahiri on the depth and breadth of pedantic arguments. Ayman and others like to spout all kinds of erudite scripture while the AQAP guys are “BLOW SOME SHIT UP!” which is odd given the nature of the media campaign we see on Twitter and YouTube by Da’esh. There is some disconnect here in the Dabiq magazine with all the text but they do try to intersperse some blood and guts type of things as well to keep the reader interested.
Frankly, I think Da’esh are still trying to figure out the magazine business…
Highlights from Dabiq 11
In an ideological war such as we are seeing played out by vying Islamist parties like Da’esh and AQAP the clear winner in trying to evince a more stable and likely successful attack by a jihobbyist would be what you see in Inspire. This has been the modus operandi of AQAP for some time anyway so there is nothing new. Meanwhile if you watch the news and look at the article written by Mike Scheuer Da’esh has been not only making noise online but also able to take key areas of the region physically. There is a propaganda war being played out but how much of that is really germane to the GWOT as a whole? With the death of Junaid Hussain for being a propaganda mouthpiece for Da’esh and the fallout since calling into question the extra-judicial nature of the killing one can see how much more prescient in the news cycle the propaganda war seems to be while the actual physical boots on the ground war is seemingly absent.
So yes, these two magazines show the varying ideals of how they want to prosecute the jihad. Da’esh seems to be very focused on the grounds for their beliefs to bolster their claim of a Caliphate while AQAP is actually prosecuting the war against the West hoping that players in the West will act. Given the nature of Inspire I can see this happening much more possibly than anyone sitting down for a good read of Dabiq. Frankly Dabiq is much like its cleric, shadowy, full of rhetoric, and in the end likely to be empty of any real Muslim ardour for religion’s sake. Either Abu Bakr is an Islamist Jim Jones cum Joker or he is a wannabe Ernst Stavro Blofeld in my mind.
My primary concern now is that Inspire has laid out some new ideas that the jihobbyists will take up and use. These are not super secret methods but things that with the advent of the internet are even easier to do (i.e. OSINT, planning, connecting etc) to carry off an assassination. It is also more a matter of action than it is discourse or belief in the Qur’an the way that the AQAP guys present the material. Sure the underpinnings are all about being a good Muslim and ridding the ummah of the West’s boot on their collective throat (perceived) but they are second to the slick pictures and notions of being a James Bond figure.
Finally, when Da’esh reaches the same point with their magazine I will worry more that a flotilla of fanboys will latch onto their crazy with much more information and perhaps pull off an assassination. Until then, I will just watch the propaganda war play out as we really do not do much of anything in the field to really root out the problem in the first place. The games must end and this tit for tat drone war is not going to do it for us.
As an interesting aside for the more technical out there: when getting the new issues of the magazines it came to light that someone has been playing with the supply chain again. The August 31 drop of the alleged Dabiq 11 issue, not only on archive.org but also on a slew of shortened addresses (t.co), was actually malware.
In this case the malware seems to have been a keylogger. I have seen other files come out the same way and one has to wonder if it is the IC or if it is the guys playing the home game. In any case, when you download these things be sure you run them through some tests. That is unless you don’t care about being pwn3d by a nation state.
Nuclear Bomb of the Mujahideen:
AS IF the jihadis were listening to some people in the media they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary because the AQ centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.
So below I have some screen shots of the documents including the Excel files that they left for calcs to be made by some hapless jihobbyist who might try to make this happen. Frankly since there is nothing new here this is kind of a non story story BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end kids and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadis or Da’eshbags.
Here are the details of the site:
- Created Monday 6/22/15
- Single page
- 6 downloads
- Email address of the creator is: email@example.com
- Old data
- Excel files and PDFs uploaded are malware free (at this time)
- Excel files do have macros though so there is that.. VT came up clean but MALWR.com failed me today (500 error)
- Data is taken from government and science files on clearnet
- Files created on system with Latin as base language not Arabi
- Yes.. the feds now know about the site.
So take a gander at the images below then meet me at the metadata section!
Implosion calculator for the package (Nuclear material fission)
What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could be all old data and I will have to go through my files to locate these pdf’s from 2006 to compare but let’s take a look shall we?
Dude’s a Winderz user
You can see where the 2006 files came from there…
Using MS office and PDF machine!
MOAR PDF details
So what do we have here? Well, the creator is not creating anything new. In fact the documents all come from the 2006 range (PDFs) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the Excel files on the radiation fallout and calcs for implosion but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report on how there is a lack of terrorism (jihadi) in the darknet and suddenly this site appears, well, trollhard my friends.
Ok back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP enabled toaster exploding like on CSI Cyber than you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.
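The metadata review in this post (authoring tools, creation dates, whether macros are present) needs nothing beyond the standard library. This added example, which is not the author's tooling, reads the Info dictionary from a PDF and the document properties from an OOXML workbook and flags an embedded VBA project. It assumes the Excel files are OOXML (.xlsx/.xlsm), which the post does not state, and every sample value in it is constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Literal-string entries of a PDF Info dictionary. Hex strings, UTF-16 values
# and dictionaries stored in compressed object streams are out of scope here.
PDF_FIELD = re.compile(
    rb"/(Author|Creator|Producer|CreationDate|ModDate)\s*\(((?:\\.|[^\\)])*)\)", re.S)
# PDF date format: D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'.
PDF_DATE = re.compile(
    r"D:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?(?:([+\-Z])(?:(\d\d)'?(\d\d)?)?)?")
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Which properties to read from which package part.
OOXML_PARTS = {
    "docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "dcterms:created"),
    "docProps/app.xml": ("ep:Application",),
}


def parse_pdf_date(raw: str):
    """Return a datetime for a PDF date string; the UTC offset is kept if present."""
    m = PDF_DATE.match(raw)
    if not m:
        return None
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    sign, hh, mm = m.group(7), m.group(8), m.group(9)
    tz = None
    if sign == "Z":
        tz = timezone.utc
    elif sign and hh:
        delta = timedelta(hours=int(hh), minutes=int(mm or 0))
        tz = timezone(delta if sign == "+" else -delta)
    try:
        return datetime(*parts, tzinfo=tz)
    except ValueError:  # e.g. month 13 in a forged or damaged field
        return None


def pdf_metadata(data: bytes) -> dict:
    """Collect authoring-tool and timestamp fields; later (updated) entries win."""
    meta = {}
    for key, val in PDF_FIELD.findall(data):
        # Drop the backslash from escaped characters such as \( and \).
        meta[key.decode()] = re.sub(rb"\\(.)", rb"\1", val, flags=re.S).decode("latin-1")
    for key in ("CreationDate", "ModDate"):
        if key in meta:
            meta[key + "Parsed"] = parse_pdf_date(meta[key])
    return meta


def ooxml_metadata(data: bytes) -> dict:
    """Read docProps/*.xml from an OOXML file and flag an embedded VBA project."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for part, paths in OOXML_PARTS.items():
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for path in paths:
                el = root.find(path, NS)
                if el is not None and el.text:
                    meta[path.split(":")[1]] = el.text
        meta["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return meta


def make_sample_pdf() -> bytes:
    """Constructed PDF fragment; the values are illustrative, not from the real files."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Creator (Microsoft Office Word)"
            b" /Producer (PDF Machine \\(sample\\))"
            b" /CreationDate (D:20060412101500-05'00') >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")


def make_sample_xlsm() -> bytes:
    """Constructed macro-enabled workbook skeleton (metadata parts only)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"'
            f' xmlns:dcterms="{NS["dcterms"]}"><dc:creator>sample-user</dc:creator>'
            '<dcterms:created>2014-03-01T09:00:00Z</dcterms:created></cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Excel</Application></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("xl/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(pdf_metadata(make_sample_pdf()))
    print(ooxml_metadata(make_sample_xlsm()))
```

All of these fields are set by the authoring software and can be edited, so treat them as leads to corroborate rather than proof of who made a file or when.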
I recently gave a presentation at Mass Hackers on “Online Jihad” which went very well. While I was covering the online jihad, the topic of Darknet Jihad came up as well, it usually does when anyone talks to me about the subject. Well, since giving that presentation I have seen various and sundry gubment types claiming that the “Jihadi’s are using the darknet! OMG! It’s why we need to have crypto front doors and de-anonymize the darknets!!!!”
I am writing this post to set the record straight and to make a point… A cryptic point that someone reading this will get and you know who you are. The darknet is on the whole NOT being used by jihadi’s to hide their comm’s in the sense of going to darknet sites. Please for the love of everything sane, all you gubment types and wanna be spies get that the fuck into your heads right the fuck now.
Yes, the jihadis are using TOR and other VPNs in attempts to hide their traffic on the “clearnet” but no, they are not gathering in large groups in hidden services sites on the actual “darknet”. This is an important difference that many in the media and in the government either don’t get or don’t want to get in favor of having a scary scary thing to say to get the other ossified gubment workers (aka the Senate and House) to capitulate out of fear to their crypto breaking desires.
So lemme mansplain for you all about just what is going on in the darknet and what is not ok?
Darknet Jihad Funding
What you see above this text are two sites that have appeared in the darknet and these have been the most tangible and visible of anything out there to date. The top picture is from a site that had a real bitcoin address and appeared in 2013 I believe. I wrote about it back then at least so maybe it was around in 2012. In the end though it amassed about 1200 bucks and then it was cashed out. Personally I think it was a scam site but who’s to know really.
The second more recent site is directly supposed to be a Da’esh site and it appeared last month on the darknet. Its bitcoin address is real as well but to date has had no money put on it. This site too smells more like a fake or a dangle by an agency than anything else. Why? Because the fact of the matter is that to date, neither I nor anyone I know in the know has found ANY other sites out there on the darknet, in the hidden services, at all that is jihadi in origin or aegis. None. Niente. Nada.
Of course there may be super secret sites that only a select few know the address of or maybe they are just using other sites like market places as dead drops but even this sounds a little too esoteric for the nitwits we see today in jihad and jihobbyism online. There is just no there there man, nothing to hang your crypto is bad hat on Mr. gubment guy! Ok ok ok, there was one upload to a file server in the darknet for one manual but the link was given on the clearnet jihadi board so how the fuck super secret is that?
Meanwhile Back In The Clearnet….
Ok so now that I have made myself I think crystal clear, let’s talk about what the jihadi’s are doing that I and others like me have seen. For the most part they have taken to TOR and TAILS like a mother since the Snowman dumps. This is to be expected right? I mean, look at all of us in the security community talking about this shit too right? If we say that it is better to TOR up or use TAILS to protect our basic security and privacy it stands to reason that these jihadi mo mo’s will too huh?
This is not rocket science kids…
Oh and yeah, since TOR has become ever so user friendly, it is a natch that these guys will install it and use it on anything and everything that can run it. If you look below here you can see how they are using various tools on various platforms like Android just to reach their Da’eshbag Twitter accounts so they can spew their derpy propaganda!
So yeah, they are using TOR, TAILS, and anything else they think will give them an extra layer of protection. I have seen tutorials in Arabi all over the place for them to use and the mandate from the Da’eshbag pooba’s on how to be secure online. This however does not stop them from getting a JDAM shoved up their asses though when they take selfies am I right?
Right, anyway, the skinny is that until these guys are all digital natives they aren’t going to be living and lurking in the darknets. Sure, they will have TOR, and sure they will have encrypted chats but hey, WHEN THE FUCK DID WE NOT HAVE THOSE OPTIONS TO START HUH? Really, for fucks sake stop it with the scare tactics USGOV and every god damned three letter agency! How about this, you say fuck all to the tech fixation and the shortcuts and you all get your HUMINT game back on?
That is how you will win this war. Make friends, find out where they are, and then JDAM the fuckers.
CORRECTION: According to a tip I got from @Apate1114 there was a site back in 2012/2013 that was alleged to be a standard jihadi type site. In looking for any kind of backstop on this all I could locate were links that described the onion site in question (http://p2uekn2yfvlvpzbu.onion). In February 2013 it is listed as “http://p2uekn2yfvlvpzbu.onion/ – Armas entrenamiento militar etc”
Another site lists a file on the site for that time showing a pdf for a .50 cal rifle: contruçao rifle:p2uekn2yfvlvpzbu.onion/arm/50calRifleConstructionManual.pdf Neither of these says jihadi site etc and unfortunately I have not seen an archive of the site.
I had a chat with @Apate1114 and they gave me a correction to the above. They provided a bad link there. The link is in fact instead: aub35xzuj7wslusm.onion and is no longer up. The site that was linking it in 2013 is seen below:
This site, aljyyosh, calls the onion site موقع عربي غريب which is “weird website” Since then, nothing has been seen of this site in the onion but as you can see on aljyosh there are plenty of tutorials on how to Tor.